Posted by samzenpus on Thursday April 07, 2011 @03:53AM from the keep-your-receipt dept.

An anonymous reader writes "Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."

It's still likely that if an e-commerce site is hacked and personal data is stolen, they will be liable for not taking adequate care in storing personal information, such as following best practices for passwords.

If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely.

Actually, that's probably exactly what the French are after, even if it's only a "side effect" in this case. The French don't like foreign companies taking their market. France is like a mini-version of the world: they got to redo everything themselves, in French style.

Stating that this effect is 'on purpose' is hard to prove. After all, European legislation would come and demand open markets. So they found a sneaky way around it. Make up some privacy-breaking law...? Profit!

I seem to be seeing more and more stories like this, where politicians make incredibly ill-conceived laws due to their ignorance of technical detail.

I don't know if it is the same in France, but in my country, the parliaments seem to be loaded chock full of former lawyers and accountants, and not much else. This creates a massive blind spot in the outlook of the people governing us.

Quite frankly, they are not up to the task of designing law for the current age. The issues facing the world currently seem to be overwhelmingly technical and scientific in nature, whether it be internet privacy, net neutrality, or global warming, and the current breed of politicians seem intent on foisting the stupidest solutions available upon us. Most often because they don't understand the possible alternatives.

Where are the engineers and scientists willing to step up and serve their country politically? We need you.

"Never attribute to malice that which is adequately explained by stupidity". Politics in France are particularly clueless about technology. Worse, they think they know it all because they had some cute web site with streaming video designed for them. And someone who thinks he's good without having a clue is dangerous indeed. The current French government is in full swing with security posturing, without much concern for the practical consequences, which are not so clear to them anyway. All this is enough to explain this new law.

As for being a trick to favor French firms, this is incorrect as local companies are also affected and suffer from this. From the article, one of the companies attacking this law is DailyMotion, and they're French. I don't see any tech company being happy about this.

Lastly, there have been several laws cancelled in France recently due to either being incompatible with European laws or being against France's own constitution. That gives you an idea of how well prepared and thought out the projects were... So this is not done and over.

If enough large internet entities black-holed France as a united front, the law (or France) would go away and other countries would learn a very valuable lesson. That, or just declare that since it's a lot of trouble to maintain multiple authentication systems, all French citizens will have their password set to "password".

An alternative would be to start hacking and publishing password lists for France.

The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.

This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

Which means that they would have to store the password, and be able to give it out to authorities.

So, to take your points:

It is still completely possible for Google to use hashed passwords to authenticate users and only "save" the plain password in a "write only" file (text or separate database) with the unhashed passwords...

Yes, but this is stupid and really gets rid of the point of having the hashed password in the first place. Now you have two copies, and even better, if you hack the French data you start potentially having the information necessary to recover passwords from other, more secure countries. As for the 'write only' file, seriously? The only write-only file is /dev/null; if you can read it at all there's the possibility that it can be read by bad people - that's what a security breach is... I suppose you could use a printer and print them all; if there's no digital way to read it then it would have to be a physical security breach, but the cost of compliance?

Shit, if they were required to provide a plain password, they could use any of the cracking tools to obtain exactly that one...

Kinda plausible, if only hashes were guaranteed to be one-to-one, only they aren't, as it is possible to have hash collisions where two passwords can point to the same hash. This doesn't usually matter, but it does mean you wouldn't be able to guarantee that there was no hash collision and you were giving the authorities the wrong password, which would be illegal under this law. Granted, the authorities may not know this and may not do anything about it, but if they wanted to be evil it wouldn't be hard to prove non-compliance.

or just "reset" the password of the account and give it to the French police.

Yeah, as above this would be giving them the incorrect password and would be violating the law. You really think they want the password to log into the site? Seriously? When they can just demand access? Most likely they're taking advantage of the fact that people tend to use the same passwords, so getting a historical record (and note this information has to be held for at least a year) of passwords for that user means there is a high likelihood that they'll be able to access data outside of their country. The law isn't asking them for their current password, or should I say not JUST their current password, it's asking for ALL of this data for the last year.

It's a data retention law, not a "you must provide this to authorities when asked" law. You have to gather the information all the time, keep it for a minimum of a year, and provide all that historical information on request (this is not just the current information). Which means you cannot just provide the current information, or reverse a hash, etc.

The law is broad-reaching, really intrusive and will cause far more problems for anyone than the French might hope it will solve, but for some reason you (after apparently reading the article) missed the point of it entirely.

You're missing the point. Sure, it is possible to securely store the user's password to where it is essentially impossible for a hacker to obtain it, but why does the French government need it to begin with? If they have the proper legal documentation, they can obtain any of the customer's data from a given site without providing the password. The whole point is that now, they can access other services used by the customer where they used the same password without obtaining a warrant. That is bad.

If they have access to the system checking the passwords though, it's still receiving the password in plaintext from the user.

Depends on the authentication scheme used. In some, only the client ever has access to the plaintext password. For example:

The server stores a salt and a hashed password

The client connects, and receives two salts from the server.

The client hashes the password with both salts and uploads the result.

The server validates the old hash, then stores the new salt and hash.

The other advantage of this is that the server doesn't know when the user has changed its password. The server is required to change the stored password each login, so it's impossible to steal someone's account without their knowledge, unless you get their password via some other means. If you log in, you must change their password, and the next time they log in they will discover that it's changed.
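The four steps above, simulated end to end as an added example (not code from the post); PBKDF2-SHA256, 16-byte salts and the tiny in-memory Server class are my assumptions, since the comment names no hash or storage.

```python
import hashlib
import hmac
import secrets
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, the post names no hash

def derive(password: str, salt: bytes) -> bytes:
    """Client-side only: the plaintext password never leaves this function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Server:
    """Holds (salt, verifier) per user; never sees or stores a plaintext password."""
    def __init__(self):
        self.db = {}       # user -> (salt, verifier)
        self.pending = {}  # user -> (old_salt, new_salt) for an in-flight login

    def login_challenge(self, user):
        """Step 2: return the stored salt plus a fresh one for the next verifier."""
        old_salt, _ = self.db[user]
        new_salt = secrets.token_bytes(16)
        self.pending[user] = (old_salt, new_salt)
        return old_salt, new_salt

    def login_response(self, user, old_hash, new_hash):
        """Step 4: constant-time check of the old hash, then rotate to the new one."""
        old_salt, new_salt = self.pending.pop(user)
        if not hmac.compare_digest(self.db[user][1], old_hash):
            return False  # wrong password or a replayed response: nothing changes
        self.db[user] = (new_salt, new_hash)
        return True

def client_respond(password, old_salt, new_salt):
    """Step 3: hash the password under both salts; only the hashes go on the wire."""
    return derive(password, old_salt), derive(password, new_salt)

def login(server, user, password):
    old_salt, new_salt = server.login_challenge(user)
    return server.login_response(user, *client_respond(password, old_salt, new_salt))

def demo():
    srv, pw = Server(), "correct horse battery"  # constructed sample credential
    salt = secrets.token_bytes(16)
    srv.db["alice"] = (salt, derive(pw, salt))   # step 1: enrol salt + verifier only
    out = {"good": login(srv, "alice", pw), "wrong": login(srv, "alice", "guess")}
    captured = client_respond(pw, *srv.login_challenge("alice"))  # sniffed response
    srv.login_response("alice", *captured)       # legitimate login rotates the verifier
    srv.login_challenge("alice")                 # new session, against the rotated verifier
    out["replay"] = srv.login_response("alice", *captured)
    out["plaintext_on_server"] = pw.encode() in srv.db["alice"][1]
    return out
```

The hashes the client uploads are password-equivalent for that one session, so the exchange still needs a confidential channel such as TLS. What it does guarantee is that the server, and anyone who copies its database, holds only salts and verifiers, and that a captured response is useless once the verifier has rotated.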

The problem in your scenario is that there's no such thing as a "write only" file...

Not correct. There are lots of ways of setting up a system that can write but not read. For example, a line printer that records a transaction log. To see the password, you have to physically read the printout. You could get the same effect with a dedicated server with a single-use connection to the main server (and no internet connection! Doesn't even need to have a TCP/IP stack) and a well controlled software environment.

Funny how Americans (you're American, right?) started making so many jokes about the French surrendering the moment France became one of the most resistant to US behaviour over Iraq. Doubly amusing when you think how important French assistance was to the American forces in the war of independence.

15 percent in the local elections is not "massive," it's about the same as the fascist-minded Patrick Buchanan got in the US when he ran. There are members of the US Congress whose politics = National Front. French society is having deep problems and, just like the US, UK, etc., they are trying to find a scapegoat.

If the law stated this, which, of course, it doesn't. But no one apparently took time to properly read it before firing the paranoia flares.

The "password" bit is part of a data retention clause for account management. On any account that a service provider created for an on-line service or access, you must retain some data for ONE year after the account is closed. Among the bits is, I cite - translated - "password, means to validate it". And, hidden a few lines below is the clincher "such data must be retained only if it was collected".

In other words, the law states that:

1) If you get a password in plaintext and store it as is, you must KEEP a copy of that password for one year after the account has closed

2) If you get a password and store a way of validating that password (such as a hash), you must KEEP a copy of that hash or whatever for one year after the account has closed.

3) If you don't use a password for the service (for example, you are an ISP, and access from your customers to their DSL is entirely authenticated by the telco end), then you keep nothing. But for a year, of course!